Saltbo Zpan Hard-Coded JWT Secret Vulnerability in Versions Through 1.6.5 and 1.7.0-beta2

Vulnerability

A vulnerability exists in Saltbo Zpan versions through 1.6.5 and 1.7.0-beta2: the application signs JSON Web Tokens (JWTs) with the hard-coded secret key '123'. Because that key is fixed in the source and identical on every deployment, anyone who knows it can mint authentication tokens the server accepts, bypassing login and gaining unauthorized access to Zpan instances. The flaw is in the 'NewToken' function in 'zpan/internal/app/service/token.go', where the static key is used with the HMAC-SHA512 algorithm for token signing. The vulnerability can be exploited remotely without authentication, but the exploitation process is complex and challenging.
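The pattern the advisory describes, shown as an added illustration that is not Zpan's own code: a NewToken-style function whose HS512 signing key is a string literal, beside a hardened loader that takes the key from deployment configuration and refuses to start with a missing, short or known-weak value. The JWT_SECRET variable name, the Claims shape and the 64-byte minimum (taken from RFC 7518's rule that an HMAC key be at least as long as the hash output, 64 bytes for HS512) are assumptions of this example, not settings of the project. Only the standard library is used, so the JWT encoding and verification are written out rather than taken from a JWT package.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// weakLiteralSecret is the constructed stand-in for a key embedded in source;
// '123' is the value named in the advisory. Not Zpan's code.
const weakLiteralSecret = "123"

// minSecretBytes: RFC 7518 section 3.2 wants an HMAC key at least as long as the
// hash output, which is 64 bytes for HS512 (assumption of this example).
const minSecretBytes = 64

// Claims is a minimal payload for the demonstration.
type Claims struct {
	Subject string `json:"sub"`
	Expiry  int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS512 builds a compact JWT (header.payload.signature) with HMAC-SHA512.
func SignHS512(c Claims, secret []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS512", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64url(header) + "." + b64url(payload)
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64url(mac.Sum(nil)), nil
}

// VerifyHS512 checks the signature in constant time and rejects expired tokens.
func VerifyHS512(token string, secret []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, errors.New("malformed signature")
	}
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("signature mismatch")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Expiry <= now.Unix() {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// NewTokenWeak mirrors the flawed shape: the key is a compile-time literal, so
// every deployment shares it and anyone who reads the source can mint tokens.
func NewTokenWeak(subject string, now time.Time) (string, error) {
	claims := Claims{Subject: subject, Expiry: now.Add(time.Hour).Unix()}
	return SignHS512(claims, []byte(weakLiteralSecret))
}

// LoadSecret is the hardened counterpart: the key comes from configuration (a
// hypothetical JWT_SECRET variable) and the service refuses a missing, short or
// known-weak value. getenv is injected so the checks are testable offline.
func LoadSecret(getenv func(string) string) ([]byte, error) {
	s := getenv("JWT_SECRET")
	switch {
	case s == "":
		return nil, errors.New("JWT_SECRET is not set")
	case s == weakLiteralSecret:
		return nil, errors.New("JWT_SECRET is the known-weak default; generate a random key")
	case len(s) < minSecretBytes:
		return nil, fmt.Errorf("JWT_SECRET must be at least %d bytes", minSecretBytes)
	}
	return []byte(s), nil
}

// NewTokenHardened signs with the configured key instead of a literal.
func NewTokenHardened(subject string, secret []byte, now time.Time) (string, error) {
	claims := Claims{Subject: subject, Expiry: now.Add(time.Hour).Unix()}
	return SignHS512(claims, secret)
}

func main() {
	now := time.Now()
	weak, _ := NewTokenWeak("alice", now)
	if _, err := VerifyHS512(weak, []byte(weakLiteralSecret), now); err == nil {
		fmt.Println("weak token verifies for anyone who knows the literal key")
	}
	if _, err := LoadSecret(os.Getenv); err != nil {
		fmt.Println("hardened loader refused to start:", err)
	}
}
```

The startup refusal is the part worth copying: a secret check that runs once at boot turns a silent misconfiguration (or a forgotten default) into a visible failure, and the injected getenv keeps the rule covered by unit tests. Detection on a running instance is the same idea in reverse: if a token issued by the service verifies under the published literal, the instance is still on the affected code.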

Impact

Exploitation of this vulnerability allows for the creation of forged JWTs, which can be used to gain unauthorized access to the application.

Reproduction

To reproduce this vulnerability, send a request to the Zpan API with a JWT token that has been crafted using the hard-coded secret '123'. This token will be accepted as valid, allowing access to the API. The vulnerability can be demonstrated by requesting sensitive information, such as SMTP details, which will be returned if the token is accepted.

Added: Jul 11, 2025, 7:20 PM
Updated: Jul 11, 2025, 7:20 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          5.0
exploitability  8.7
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined to calculate the overall risk score.